Phaedsys Banner
Cost effective Safety Critical and High Reliability Embedded Systems Tools
 |  Cyber Security |  IOT & Security  (yet again)  | Met Gun Security Lapse |
 | Phishing | Intel vulnerabilities | Intel Vulnerabilities | more Security |
Visit us online
 
It has been almost impossible to avoid cybersecurity in the last few days, so this bumper issue covers several aspects of recent events. What is clear is that much of the damage has been because people haven't used either common sense and/or the tools that are available
PhaedruS SystemS
Michael Barr at ESC
We will start with a scene setter for some of the other items we are covering. Michael Barr is recognised as a leader in the development of embedded systems, and a couple of weeks ago he gave a keynote presentation at ESC. It is here
https://barrgroup.com/content/esc-boston-dangerous-flaws-safety-critical-device-design and is well worth the 40 minutes of your time to view and as well as a discussion of some (the then) recent security events – such as the Mirai bot, it also incorporates some of the findings of the Barr Group's survey of embedded developers. At around 18 minutes there are some frightening figures about the poor process development of many embedded developers, including those whose products have the ability to injure or even kill.
 
One opening comment is "The embedded systems that we build are increasingly a battlefield" as they are used as transmission points for things like Distributed Denial of Service attacks on web sites. The owners of the embedded systems are not even aware that they are being used.
Aga Saga: Remote Control Cooking
The traditional middle class status symbol of the Aga stove is now a connected device. This was a surprise to Ken Munro of Pen Test Partners, specialists in breaking into systems and providing consultancy on security. ( https://www.pentestpartners.com/blog/iot-aga-cast-iron-security-flaw/ )
 
When Ken was shopping for a new one. The top end model can be controlled from a mobile phone through a web app. And the Aga itself uses a GSM SIM. (Not certain how that works if you are in a remote part of the country with poor mobile coverage – typical Aga users I would have thought!)
 
Simplifying greatly he discovered that themobile app communicates to the web site using plain text http, no encryption at all. The web site then sends plain text SMS instructions to the Aga. A hacker can easily send plain text messages to turn the target Aga off and on. After a series of attempts to communicate with Aga, which met with being ignored, being blocked on Twitter for trying to get private DM for a security issue, he finally spoke to a real person, who while interested couldn't see any urgency as 'we've had no reports of customers having their Agas hacked'.
 
Pen Test also has a story about a female sex toy with a built in camera and a wifi connection. One has to ask "Why would anyone want one?" If you really want to know more, go to 
Big Boys did it and ran away.....
Two stories of cyber issues involved the big boys, Microsoft and Intel (and the NSA)
 
Microsoft has stopped supporting Windows XP, but there are millions of PCs still running it. Some time ago the NSA discovered a vulnerability in XP and added it to their hacking tool kit. The kit has now been stolen and the vulnerability has been exploited by some bad guys to lock PCs running XP and demand a ransom.
 
It is still not clear how many have been infected, certainly hundreds of thousands as once the malware is in a network it spreads. Microsoft issued a patch and received praise until it was discovered that the patch was several months old, and while they knew about the problem, as they no longer support XP they didn't make it publically known. If you have an XP based machine the patch can be downloaded from
 
WinXP users NOTE you have to use the link above because (as of May 2017) WinXP will NOT auto -update to fix this.
 
You will only be infected if you downloaded an email with the malware, but even if you have no email on the machine it is probably worth patching.
 
Intel has a very different story. Many of their processors, particularly those for servers in data centres have a secondary processor running n Intel's Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) firmware, which allows the main processor to be remotely re-configured.
 
This has a vulnerability which potentially allows a third party to get and reconfigure for their own purposes. Many companies elling products using the processors are supplying patches. You should check your PC's and Laptops that use INTEL Processors.
Phishing
One of the ways into networks is through e-mails that carry an evil payload. This may be a Word attachment that runs macros (You do have macros in Word turned off – don't you?) or it might be a link to a website that downloads without your seeing it.
 
But the phishing may also be simpler criminality. In the last few weeks we have had two alerts from one of our principals. The first alerted us to possible email that appeared to come from their accounts receivable, giving a fake bank account for payments, and the second was to warn about e-mails apparently from their CEO and linked to something unrevealed.
 
Last year the accounts department of an Austrian aerospace company received a number of invoices that appeared to have been approved by their CFO, but in fact were from a third party. Several were paid before things were discovered.
False address
As well as faking the addresses in email headers, the black hats have found a way to fake addresses in links in the email, or even on web sites.
 
Using a technique called homograph attack, they can use Cyrillic characters in Unicode mixed with normal ASCII codes to create words that look like legitimate sites but are not. For example apple.com can, if properly manipulated, link you to xn--80ak6aa92e.com. Read more at
Giving it away....
But as well as people attacking we are seeing issues of legitimate holders of information, passing it to other people. For example The Register reported that 30,000 UK gun-owners who have registered with the Metropolitan Police have received a promotional campaign from Smartwater – a purveyor of invisible ink for marking valuables - despite the owners believing that the information they provided was confidential to the Metropolitan Police. It seems 3rd parties now have the addresses of all the legitimate gun owners in the Greater London area. 
 
In another story, DeepMind, an AI company owned by Google has been given access to the patient data of the Royal Free NHS Trust – that is 1.6 million patients a year. That is simplifying greatly but the full, unsettling story is in the New Scientist https://www.newscientist.com/article/2086454-revealed-google-ai-has-access-to-huge-haul-of-nhs-patient-data/
 
Funny
Despite the horrors there is still room for humour about Internet connectivity, as seen here with that icon of "Why would one ever want one?" the Internet toaster. https://www.arcamax.com/thefunnies/deflocked/s-1949569

Whilst on  toasters there is the humorous and still relevant tale of the Kings Toaster. http://www.phaedsys.com/resources/technicalpapers/kingstoaster.pdf
Are you contributing to global warming?
It is one of life's ironies that while hardware designers fight to save milli-watts in power consumption, programmers remain blissfully unaware of the consequences of their coding decisions on the target hardware. This is bad enough but as is explained in http://winzenttech.com/wp-content/uploads/Crappy-programmers.pdf "...
 
crappy programming results in an enormous waste of energy. The global cost is at least 75% of $600 billion, or $450 billion."
MISRA C training
PRQA has organised a two day training course on MISRA C:2012. It runs on June 27.8 at tin Birmingham and s designed to help and support software development teams to write, verify and validate safety & mission critical applications.
 
The Death of Phaedrus
Some of you may have wondered where the name Phaedrus comes from. It was inspired by the narrator of "Zen and the Art of Motorcycle Maintenance" by Robert Pirsig. See http://www.phaedsys.com/company_data/thename.html
 

Published in 1974 it is a mixture of philosophy, motorcycles and engineering. I should point that in the introduction he wrote "However, it should in no way be associated with that great body of factual information relating to orthodox Zen Buddhist practice. It's not very factual on motorcycles, either." 
 
However Persig's book does look at the Metaphysics of Quality (MoQ) which is of direct relevance to Software Engineering.
 
Phaedrus is also one of Plato's characters in his discourses with Socrates.
 
Robert died a few days ago and the world is a poorer place. https://www.theguardian.com/books/2017/apr/25/robert-pirsig-obituary 
 
Hopefully our next newsletter will be less about the Cyber world falling apart. the tools and methods to prevent most of it are (or should be) in your hands already.
 
Finally, stolen unapologetically from Jack Gansle's newsletter -
"Without requirements and design, programming is the art of adding bugs to an empty text file." - Louis Srygley
 
Forward this email
Forward
 
Tel: 0808 1800 358Email usVisit us online
PhaedruS SystemS Ltd, 96 Brambling, Tamworth, Staffs, B77 5PG, UK
Registered in England with Company Number 04120771
learn more about  newzapp email marketing This message was sent to info@phaedsys.com by PhaedruS SystemS Ltd using newzapp email marketing. Follow this link to .